Earlier this month, the Information Commissioner’s Office (ICO) issued financial services giant Prudential with a penalty charge of £50,000 for a serious breach of the Data Protection Act (DPA), after a prolonged mix-up of two customers’ accounts.
This is significant because it is the first time that a fine has been levied with no data loss having taken place. It is also unusual because the action was brought against a private-sector organisation.
Unlike their central government counterparts, private organisations are under no obligation to agree to an ICO audit. There is also no legal compulsion and certainly little incentive for companies to admit to a breach, such as the theft of an unencrypted memory stick or an intrusion into their systems by hackers.
However, some experts believe that mandatory data breach notification for the private sector in the UK is just a matter of time, in part because of recent EU directives, and also because disclosure is now law in some US states such as California, which provides a precedent.
More leaks mean more laws
The backdrop to all of this is a massive rise in reported breaches of the DPA. According to the ICO, these have jumped ten-fold over the past five years, with a consistent increase in the number of incidents reported every year. To some extent, this increase may be due to the huge rise in data volumes – there’s simply more data to leak – and also to mandatory reporting in the public sector since 2010 (the largest rises have been for councils and other public-sector bodies).
Whatever the cause, these figures will put pressure on politicians to further strengthen the powers of an ICO that is already baring its teeth more than before, extend mandatory audits and reporting, and possibly increase the range of sanctions available to the watchdog. Many argue that even the maximum £500,000 penalty is small beer to a large financial organisation, for example, and unlikely to force a change in attitude.
What will make a difference to corporate boards, though, is customers jumping ship. Unlike local authority services, people can easily take their bank accounts elsewhere. And they do. Customer “churn” is particularly high in the financial services sector.
The charity sector is another in which reputation is vital. In October, social care charity Norwood Ravenswood was served a penalty of £70,000 by the ICO after highly sensitive information about four children was lost. Donors will think twice before giving money to such a careless organisation.
In addition to lost custom, there is the time and expense of putting things right following a serious breach. Such costs can include compensation, helpdesk activities, investigations, training, legal expenditure, product discounts and regulatory interventions.
Hackers make headlines
Despite the headlines, malicious activity – particularly by outsiders – is the least likely cause of a data breach. Most recent studies put all malicious activity (including by internal staff, the source of the majority of attacks) around the 25-30 per cent mark, followed by systems failure, with simple human error topping the list. The proverbial laptop left on a train is a far more common cause of data loss than a successful hack.
That said, malicious attacks are the most costly type of breach. Research by Ponemon and Symantec in 2011 found that such attacks carried an average cost of £90 per record, compared with £62 for a systems glitch. Following a malicious attack an organisation must go into overdrive to bring systems back online, repair any damage, and most importantly communicate with customers and partners. Failure to do so is likely to exacerbate the damage – as the PlayStation arm of Sony found to its cost last year.
Hacks may also be hard to hide. If a website goes down or is defaced, this is obvious for all to see. The other difficulty with protecting against malicious activity is the constantly shifting nature of the environment that needs protecting. Bring your own device (BYOD) is one such disruptive shift. A related one is the increasing use of apps.
A Computing survey of 130 IT professionals running a transactional website found that 15 per cent of them are now taking advantage of the spread of mobile devices by offering their own downloadable app to customers. Of these, around a third were collecting personally identifiable data (PID) such as date of birth, social media logins and credit card information via their apps; similar proportions were recorded for transactional websites (figure 1).